Spammers, the Pioneers of Going Green
Posted by Ran Mosessco on 04 February 2011 01:01 AM
As we have noted, spam levels are starting to climb back up. Here at Websense Security Labs™, we want to highlight a familiar campaign theme that has been repackaged by spammers, as seen by our ThreatSeeker™ Network.
Websense messaging customers have been protected against this attack with ACE.
Around mid-January, we started to see a campaign of emails trying to recruit the recipient to help with payment processing in Australia. This is typically the type of money-laundering scam where victims are offered payment for transferring money through their private bank account. Naturally, the most likely outcome is that the "payment processing agents" don't gain any money, but instead lose their own money. They may also be prosecuted by the authorities as an accomplice to the crime.
We still see the familiar email messages with the full offer outlined in the body of the message (see figures 8 and 9 below). In this campaign, however, to avoid anti-spam products, the criminals have introduced a different type of message. These messages use much more generic text with less suspicious wording, and contain links to compromised Web sites. This way, the text (which is randomized) doesn't trigger content rules. What's more, since the links go to domains with good reputations, the spammers hope to bypass reputation-based filtering.
If all this sounds familiar, you're right: this is the same technique spammers were using in pharmaceutical and OEM software spam campaigns back in October 2010. (These are still going on, by the way. See figure 4).
As long as we can remember here at Websense Security Labs™, spammers have been recycling as much as possible, from expired domain names to images, and, of course, HTML templates. In this case, we see an age-old scam get new life when it's repackaged in a template already used for pharmaceutical spam.
So, let's follow the pictures to take a look at this enticing, career-changing offer.
The messages arrive in these formats:
But the older style is still in the wild:
Doesn't this look like the pharmaceutical spam we've been seeing since last October?
And, lo and behold, this template has been appearing in dating spam, yet another recycling effort:
Beyond the similar physical appearance of the examples, the HTML source shows common structures that lead us to believe the templates came from the same author. The URL query structure is also very similar, providing a further hint to the common source. Most, but not all, of the messages also share some common header attributes.
Admittedly, it initially seems like a stretch to compare the first two examples (figures 1 and 2) to the older style, but without going into specifics, we can say the HTML source shows how spammers like to recycle templates. The URL and header patterns are too similar to be a coincidence.
Some of the many subject lines are:
A wonderful job offer for you!
Clicking the link in the message leads you to a page on a compromised site, hosting a spoofed version of a legitimate job search site:
Hoping for some extra cash, I decided to apply, and shortly afterward, I got an email from a gentleman calling himself Daniel Chan:
Now, this is more like it! This is what we're used to seeing in our inboxes, like this job scam sent by the Cutwail botnet:
Or this more old school attempt:
Back to the original scam attempt, when I check out the Web site that Mr. Chan provided, I can see how serious this operation is:
And, luckily for me, the job is still available:
A quick check of the domain information of this respectable company shows it was registered on Dec 17, 2010 for 1 year.
Not planning to stay in business very long, I guess...a quick check in Google leads us to this ScamFraudAlert blog post.
As you can see, the template is used for around 20 other domains (something else we've seen done for a couple of years). The language is far from the broken English used by older fraud attempts. There is a very large FAQ section trying to convince visitors that everything is legitimate.
By omitting the target site and job details from the email message, the criminals are trying to increase the chance that a few uninformed users will fall into the trap, however unlikely that may be.
Using links to pages on compromised, legitimate sites, while still crude, can help bypass spam filters. Avoiding "incriminating" phrases and using more generic, randomized text also make it more difficult for content-based filtering to catch these messages.
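The recycling described above (a reused HTML template, the same URL query structure behind different compromised hosts, and a landing domain registered only weeks before the campaign) is exactly what gives a defender something to match on once the wording has been randomized. The following is an added example, not code from the original post or from Websense; it fingerprints the tag skeleton of a message with the text stripped out, reduces each link to a host-independent shape, clusters messages by template, and computes the age of a landing domain from a WHOIS creation date. The three HTML messages and the link URLs are constructed for the example.

```python
import hashlib
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class _Skeleton(HTMLParser):
    """Collect the tag skeleton of an HTML body: tag names plus sorted attribute
    names, with all visible text dropped. Randomized wording therefore has no
    effect on the result, while a reused template keeps the same skeleton."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        names = sorted(name for name, _ in attrs)
        self.parts.append("<%s %s>" % (tag, " ".join(names)))
        for name, value in attrs:
            if name == "href" and value:
                self.links.append(value)

    def handle_endtag(self, tag):
        self.parts.append("</%s>" % tag)


def _parse(html):
    p = _Skeleton()
    p.feed(html)
    p.close()
    return p


def template_fingerprint(html):
    """Short hash of the tag skeleton; equal for messages built from one template."""
    skeleton = "".join(_parse(html).parts)
    return hashlib.sha256(skeleton.encode("utf-8")).hexdigest()[:16]


def extract_links(html):
    """All href values in the message, in document order."""
    return _parse(html).links


def url_shape(url):
    """Host-independent shape of a link: path depth, script extension and the
    sorted query-parameter names. The compromised host changes per message,
    but a spam kit tends to emit the same query structure everywhere."""
    u = urlparse(url)
    segments = [s for s in u.path.split("/") if s]
    last = segments[-1] if segments else ""
    ext = last.rsplit(".", 1)[-1] if "." in last else ""
    keys = sorted(parse_qs(u.query, keep_blank_values=True))
    return "depth=%d;ext=%s;keys=%s" % (len(segments), ext, ",".join(keys))


def cluster_by_template(messages):
    """Group message indices by template fingerprint."""
    groups = {}
    for i, html in enumerate(messages):
        groups.setdefault(template_fingerprint(html), []).append(i)
    return groups


def domain_age_days(created_iso, today_iso):
    """Days between a WHOIS creation date and the observation date (ISO strings).
    A landing domain only weeks old is a strong signal on its own."""
    return (date.fromisoformat(today_iso) - date.fromisoformat(created_iso)).days


# Constructed sample messages: A and B share a template and link shape but use
# different wording and different (hypothetical) compromised hosts; C differs.
MESSAGE_A = """<html><body><p>Hello, a great opportunity awaits.</p>
<a href="http://goodsite.example/blog/index.php?id=7&amp;u=abc">Read more</a></body></html>"""
MESSAGE_B = """<html><body><p>Good day, see this exciting offer now.</p>
<a href="http://other.example/news/page.php?u=xyz&amp;id=3">Details here</a></body></html>"""
MESSAGE_C = """<html><body><table><tr><td>Work from home!</td></tr></table>
<a href="http://third.example/x.php?ref=1">go</a></body></html>"""

if __name__ == "__main__":
    for fp, idx in cluster_by_template([MESSAGE_A, MESSAGE_B, MESSAGE_C]).items():
        print(fp, "messages", idx)
    for link in extract_links(MESSAGE_A) + extract_links(MESSAGE_B):
        print(url_shape(link), "<-", link)
    # Registration date from the post, observed on the post's publication date.
    print("domain age (days):", domain_age_days("2010-12-17", "2011-02-04"))
```

The skeleton hash is deliberately exact, so a kit that shuffles tags or injects random attributes would need a looser comparison (for example, a set of tag-and-attribute pairs instead of an ordered sequence); the link shape and domain age remain useful even then, because they do not depend on the message body at all.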
We predict more of these attempts in the future, most likely using more sophisticated, spoofed sites that will try to snare more victims.
The more general conclusion we can derive from this is that even smaller-scale scam operations benefit from spammers' botnets, which make it easy to reach more victims. The spammers can easily create new campaigns (for their "customers") by recycling existing templates, and then automate the "repackaging" process that uses compromised domains, URL shorteners, or free hosting domains.
As always, we recommend that you never click on any links found in unfamiliar emails, and that you use common sense. If an offer sounds too good to be true, it probably is.
Now, excuse me, but there's a beautiful woman who viewed my profile online (figure 5) and fell in love with me. I have got to follow up on that...